Confidentiality Policy

Version: 1.2

Last Reviewed: January 2026
Next Review Date: January 2027
Responsible Person: Johanna Condon, Director and Clinical Lead

1. Purpose

The purpose of this policy is to ensure that all client information handled by Jo Condon Autism Assessments is treated with the highest standards of confidentiality, integrity, and respect.

This policy outlines how personal and sensitive information is collected, stored, shared, and protected in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and professional ethical standards.

2. Scope

This policy applies to:

  • All staff, associates, contractors, and volunteers working for or on behalf of Jo Condon Autism Assessments.
  • All formats of information — including verbal, written, digital, and recorded data.
  • All service users, including children, young people, and adults.

3. Principles of Confidentiality

We uphold the following key principles:

  1. Respect: All client information is handled sensitively and respectfully.
  2. Necessity: Information is shared only when necessary for care or legal compliance.
  3. Transparency: Clients are informed how their information is used and with whom it may be shared.
  4. Security: Confidential data is securely stored and transmitted.
  5. Accountability: All staff, including contractors and volunteers, are responsible for maintaining confidentiality at all times.

4. Information We Hold

We may hold the following types of information:

  • Personal details (name, contact details, date of birth)
  • Medical and developmental history
  • Screening questionnaires
  • Assessment results, reports, and professional notes
  • Correspondence with other professionals (GPs, schools, etc.)
  • Financial and billing records
  • Consent forms and service agreements

5. Confidential Information

Confidential information includes any information about a client, their family, or their circumstances that is not publicly known and is shared with us in trust. This includes:

  • Verbal disclosures made during any stage of the assessment process
  • Written or electronic notes and reports
  • Information shared by third-party informants (e.g., relatives, school staff)

6. Sharing Information

Client information will only be shared:

  • With the client’s explicit written consent, or
  • Where required by law, or
  • Where there is serious concern about risk of harm to the client or another person.

Examples include:

  • Disclosure of abuse, neglect, or safeguarding concerns.
  • A court order requiring disclosure.
  • Risk of serious self-harm or harm to others.

When information must be shared without consent, we will inform the client wherever possible and appropriate, unless doing so would increase the risk of harm.

7. Confidentiality in Multi-Professional Work

When working with other professionals (e.g., GPs, psychologists, occupational therapists, schools):

  • Information is shared on a need-to-know basis.
  • Reports and summaries are shared only with consent, unless legally required.
  • The client will be informed of those receiving the information.

8. Data Security and Storage

  • Electronic records are stored on encrypted, password-protected systems.
  • Paper records are not kept, and paper notes made during the assessment are transferred to digital notes with the paper copies destroyed.
  • Emails containing personal data are sent via encrypted or secure systems.
  • Video interviews are not recorded or stored.

9. Retention and Disposal

Records are kept for the following minimum periods:

  • Adults: 7 years after the last contact
  • Children: until their 25th birthday (or 26th if aged 17 at last contact)

After this period, records are securely destroyed by shredding or permanent digital deletion.

10. Confidentiality Online and During Remote Assessments

When assessments are conducted online:

  • Sessions take place on a secure, encrypted video platform (MS Teams).
  • Clients are advised to use a private, quiet space to maintain confidentiality.
  • Staff ensure all notes are stored securely, remote sessions are not recorded.

11. Staff Responsibilities

All staff, associates, and contractors must:

  • Sign a confidentiality agreement before commencing work.
  • Complete data protection and safeguarding training annually.
  • Report any breaches of confidentiality immediately to the Data Protection Lead, Jo Condon.

12. Breaches of Confidentiality

If a breach occurs (e.g., data loss, unauthorised access, accidental disclosure):

  • It must be reported to the Data Protection Lead within 24 hours.
  • Serious breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours, in line with GDPR requirements.
  • Clients affected will be informed of the breach and advised on next steps.

13. Client Rights

Clients have the right to:

  • Access their records
  • Request correction of inaccurate data
  • Withdraw consent for data sharing (where applicable)
  • Complain if they believe their confidentiality has been breached

Complaints can be submitted to jo@jocondon.co.uk or to the ICO (www.ico.org.uk).

14. Review and Monitoring

This policy will be reviewed annually or sooner if required by law, professional guidance, or organisational change.

Approved by: Jo Condon
Last Review Date: January 2026
Next Review Date: January 2027